Supervision and consumer protection are cornerstones of the FDIC’s efforts to ensure the stability of, and public confidence in, the nation’s financial system. The FDIC’s supervision program promotes the safety and soundness of FDIC-supervised financial institutions, protects consumers’ rights, and promotes community investment initiatives.
The FDIC’s strong bank examination program is at the core of its supervisory program. As of December 31, 2018, the FDIC was the primary federal regulator for 3,495 FDIC-insured, state-chartered institutions that were not members of the Federal Reserve System (generally referred to as “state nonmember” institutions). Through risk management (safety and soundness), consumer compliance, Community Reinvestment Act (CRA), and other specialty examinations, the FDIC assesses an institution’s operating condition, management practices and policies, and compliance with applicable laws and regulations.
As of December 31, 2018, the FDIC conducted 1,492 statutorily required risk management examinations, including reviews of Bank Secrecy Act (BSA) compliance, and all required follow-up examinations for FDIC-supervised problem institutions, within prescribed time frames. The FDIC also conducted 1,215 statutorily required CRA/consumer compliance examinations (876 joint CRA/consumer compliance examinations, 337 consumer compliance-only examinations, and two CRA-only examinations). In addition, the FDIC performed 3,334 specialty examinations (which include reviews for BSA compliance) within prescribed time frames.
The table below illustrates the number of examinations by type, conducted from 2016 through 2018.
| Examination Type | 2018 | 2017 | 2016 |
|---|---|---|---|
| Risk Management (Safety and Soundness): | | | |
| State Nonmember Banks | 1,333 | 1,440 | 1,563 |
| State Member Banks | 0 | 0 | 0 |
| Subtotal - Risk Management Examinations | 1,492 | 1,611 | 1,727 |
| CRA/Consumer Compliance Examinations: | | | |
| Consumer Compliance/Community Reinvestment Act | 876 | 770 | 709 |
| Information Technology and Operations | 1,503 | 1,627 | 1,742 |
| Bank Secrecy Act | 1,523 | 1,640 | 1,761 |
All risk management examinations have been conducted in accordance with statutorily-established time frames. As of September 30, 2018, 71 insured institutions with total assets of $53.3 billion were designated as problem institutions for safety and soundness purposes (defined as those institutions having a composite CAMELS¹ rating of 4 or 5). By comparison, on September 30, 2017, there were 104 problem institutions with total assets of $16.0 billion. This represents a 32 percent decline in the number of problem institutions and a 233 percent increase in problem institution assets.
For the 12 months ended September 30, 2018, 45 institutions with aggregate assets of $7.4 billion were removed from the list of problem financial institutions, while 12 institutions with aggregate assets of $45.6 billion were added to the list. The FDIC is the primary federal regulator for 52 of the 71 problem institutions, with total assets of $7.3 billion.
In 2018, the FDIC’s Division of Risk Management Supervision (RMS) initiated 156 formal enforcement actions and 95 informal enforcement actions. Enforcement actions against institutions included, but were not limited to, 13 actions under Section 8(b) of the Federal Deposit Insurance Act (FDI Act), all of which were consent orders, and 94 memoranda of understanding (MOUs). Of these enforcement actions against institutions, eight consent orders and 20 MOUs were based, in whole or in part, on apparent violations of BSA and anti-money laundering (AML) laws and regulations. Enforcement actions were also initiated against individuals. These actions included, but were not limited to, 52 removal and prohibition actions under Section 8(e) of the FDI Act (50 consent orders and two notices of intention to remove/prohibit), three actions under Section 8(b) of the FDI Act (two orders to pay restitution, and one notice of charges), and 11 civil money penalties (CMPs) (10 orders to pay and one notice of assessment).
The FDIC continues its risk-focused, forward-looking supervision program by assessing risk management practices during the examination process to ensure that risks are mitigated before they lead to financial deterioration.
As of December 31, 2018, 35 insured state nonmember institutions, about 1 percent of all supervised institutions, with total assets of $39 billion, were problem institutions for consumer compliance, CRA, or both. All of the problem institutions for consumer compliance were rated “4” for consumer compliance purposes, with none rated “5.” For CRA purposes, the majority were rated “Needs to Improve,” and only two were rated “Substantial Noncompliance.” As of December 31, 2018, all follow-up examinations for problem institutions were performed on schedule.
As of December 31, 2018, the FDIC conducted substantially all required consumer compliance and CRA examinations and, when violations were identified, completed follow-up visits and implemented appropriate enforcement actions in accordance with FDIC policy. In completing these activities, the FDIC substantially met its internally-established time standards for the issuance of final examination reports and enforcement actions.
Overall, banks demonstrated strong consumer compliance programs. The most significant consumer protection issue that emerged from the 2018 consumer compliance examinations involved banks’ failure to adequately monitor third-party vendors. For example, the FDIC found violations involving unfair or deceptive acts or practices, such as failure to disclose material information about product features and limitations, deceptive marketing and sales practices, and misrepresentations about the costs of products. The FDIC issued orders requiring the payment of CMPs to address these violations.
As of December 31, 2018, the FDIC’s Division of Depositor and Consumer Protection (DCP) initiated 21 formal enforcement actions and 13 informal enforcement actions to address consumer compliance concerns. This included three restitution orders, four consent orders, 13 CMPs, one Notice of Assessment, and 13 MOUs. Restitution orders are formal actions that require institutions to pay restitution in the form of consumer refunds for violations of law. In 2018, these orders required the payment of approximately $21.3 million to harmed consumers. As of December 31, 2018, the CMP orders totaled $3,556,766.
Large Bank Supervision Program
The Large Bank Supervision Branch within RMS addresses the growing complexity of large banking organizations with assets exceeding $10 billion and not assigned to the Complex Financial Institution (CFI) Group. This branch is responsible for supervisory oversight, ongoing monitoring, and resolution planning, while supporting the insurance business line. For state nonmember banks with assets exceeding $10 billion, the FDIC generally applies a continuous examination program, whereby dedicated staff conducts ongoing on-site supervisory examinations and institution monitoring. The FDIC also has dedicated on-site examination staff at select banks for which the FDIC is not the primary federal regulator. These examiners work closely with other financial institution regulatory authorities to identify emerging risks and assess the overall risk profile of large institutions.
The Large Insured Depository Institution (LIDI) Program remains the primary instrument for off-site monitoring of IDIs with $10 billion or more in total assets not assigned to CFI Group. The LIDI Program provides a comprehensive process to standardize data capture and reporting for large and complex institutions nationwide, allowing for quantitative and qualitative risk analysis. In 2018, the LIDI Program covered 116 institutions with total assets of $6.2 trillion. The LIDI Program supports effective large bank supervision by using individual institution information to focus resources on higher-risk areas, determine the need for supervisory action, and support insurance assessments and resolution planning.
The Shared National Credit (SNC) Program is an interagency initiative administered jointly by the FDIC, the Office of the Comptroller of the Currency (OCC), and the Federal Reserve Board (FRB) to ensure consistency in the regulatory review of large, syndicated credits, as well as to identify risk in this market, which comprises a large volume of domestic commercial lending. In 2018, outstanding credit commitments identified in the SNC Program totaled $4.4 trillion. The FDIC, OCC, and FRB report the results of their review in an annual, joint public statement.
In the first quarter of 2018, the Large Bank Supervision Branch completed a horizontal credit-risk rating assessment at 16 large FDIC-supervised institutions to evaluate transparency and effectiveness of their internal credit-risk rating systems. The findings of this horizontal assessment were summarized in a Supervisory Insights article published in September 2018.²
Operational Risk Supervision Program
Information Technology and Cybersecurity
The FDIC examines information technology (IT), including cybersecurity, at each bank it supervises as part of the risk management examination. Examiners assign an IT rating using the Federal Financial Institutions Examination Council’s (FFIEC) Uniform Rating System for Information Technology (URSIT), and the IT rating is incorporated into the management component of the CAMELS rating, in accordance with the FFIEC’s Uniform Financial Institutions Rating System (UFIRS).
The FDIC continued to enhance its IT supervision in 2018. Examiners used the Information Technology Risk Examination Program (InTREx), which includes cybersecurity components, to conduct IT examinations. Examiners provided results and recommended actions to institutions to address IT, cybersecurity, and other operational risks. During the year, the FDIC also analyzed the effectiveness and efficiency of this examination program by reviewing workpapers and reports of examination comments. The FDIC, together with the Federal Reserve and the Conference of State Bank Supervisors, is considering and implementing adjustments to InTREx. In addition, the FDIC held an IT Security Training Conference to provide continuing education to RMS IT subject matter experts and IT examiners on risks facing the industry and on examination policy.
In October 2018, the FDIC and other FFIEC members conducted a webinar and published a Cybersecurity Resource Guide for Financial Institutions to raise awareness about the importance of cybersecurity. The webinar provided an overview of the resource guide, and featured a guest speaker from the Department of Homeland Security National Cybersecurity and Technical Services (NCATS) team who provided information on the NCATS’ Cyber Hygiene program. This program’s goal is to secure internet-accessible systems by continuously scanning for known vulnerabilities and configuration errors at no cost to financial institutions.
In October 2018, the FDIC also published new vignettes for Cyber Challenge: A Community Bank Cyber Exercise. Cyber Challenge is a series of video vignettes and discussion material that can help bank management and staff learn more about operational risk and mitigation techniques.
The FDIC, OCC, and FRB also examine IT and other operational components of service providers that support financial institutions via the continued implementation of the Cybersecurity Examination Program. During 2018, the agencies completed a horizontal interconnectivity review, as well as individual cybersecurity reviews at all significant service providers.
The FDIC continues to actively engage with both the public and private sectors to assess cybersecurity and other operational risk issues. This work includes regular meetings with the Financial and Banking Information Infrastructure Committee (FBIIC), the Financial Services Sector Coordinating Council for Critical Infrastructure Protection, the Department of Homeland Security, the Financial Services Information Sharing and Analysis Center, other regulatory agencies, and law enforcement to share information regarding emerging issues and coordinate responses.
The FDIC played a significant role in organizing FBIIC incident management communication related to areas affected by hurricanes Florence and Michael. The FDIC also actively participated in FBIIC working groups to better understand the financial sector’s vulnerability to a cybersecurity incident, and consider ways to harmonize cybersecurity supervisory efforts.
Bank Secrecy Act/Anti-Money Laundering
In 2018, the FDIC and the other federal banking agencies issued examination procedures for the customer due diligence and beneficial ownership rules, which were effective May 11, 2018. These procedures supersede similar examination instructions and procedures in the 2014 version of the FFIEC BSA/AML Examination Manual.
The FDIC, other federal banking agencies, and Financial Crimes Enforcement Network (FinCEN) evaluated opportunities to increase the efficiency and effectiveness of the BSA/AML examination process. During the year, these agencies issued two statements. The first statement discussed how banks with a community focus, less-complex operations, and lower risk profiles may share BSA resources. The second statement expressed support for banks’ innovative efforts with respect to BSA/AML compliance.
Cyber Fraud and Financial Crimes
The FDIC undertook a number of initiatives in 2018 to protect the banking industry from criminal financial activities. For example, the FDIC developed, sponsored, and presented a financial crimes conference that was attended by examiners, lawyers, other interested personnel from the FDIC, other banking agencies, and law enforcement agencies. The FDIC also helped financial institutions identify and shut down “phishing” websites that attempt to fraudulently obtain an individual’s confidential personal or financial information. Finally, the FDIC published an article titled “Beware of ATM, Debit and Credit Card ‘Skimming’ Schemes” in the Winter 2018 edition of the Consumer News.³
Examiner Training and Development
Examiner training continued to receive high priority and attention in 2018 on multiple fronts. The FDIC strives to deliver effective and efficient on-the-job (OJT), classroom, and computer-based instruction. A cadre of highly trained and skilled instructors provides classroom learning to FDIC examination staff, as well as staff of regulatory partners from international and state agencies. Oversight of the training program is provided by senior and mid-level management to ensure that content and delivery are effective, appropriate, and current. The FDIC works in collaboration with partners across the organization and with the FFIEC to ensure that emerging risks and topics are incorporated and conveyed timely. Examination staff at all levels benefit from targeted and tenure-appropriate content. The FDIC also recognizes the critical role peer-to-peer knowledge transfer plays in preserving institutional knowledge and experience, and encourages opportunities for employees to learn from each other.
The FDIC has undertaken a multi-year project to expand and strengthen its examiner development programs for specializations, such as IT, BSA/AML, trust, capital markets, and accounting. As banks become more specialized, enhancing examiner skills in these areas is key to ensuring an effective examination program. The goal of this project is to standardize the skills needed to examine banks of varying levels of risk and complexity in each specialty area, and to develop on-the-job training (OJT) programs to provide opportunities for examiners to acquire higher level competencies in these specialty areas.
In 2018, the FDIC drafted specialty OJT programs in accounting, capital markets, BSA/AML, and trust. These drafts are under management review and are targeted for implementation in 2019. The agency also implemented a new intermediate IT OJT program and updated its advanced IT OJT program.
In addition, a Current Expected Credit Losses (CECL) Examiner Training and Development Plan was launched in 2018 to begin a multi-year initiative to ensure examination staff understand the requirements of the new credit losses accounting standard and are consistent in conveying the FDIC’s expectations with respect to banks’ CECL implementation efforts.
Minority Depository Institution Activities
The preservation of minority depository institutions (MDI) remains a high priority for the FDIC. In 2018, the FDIC continued to promote and support MDI and Community Development Financial Institution (CDFI) industry-led strategies for success. These strategies include increasing collaboration between MDI and CDFI bankers and other financial institutions; partnering to share costs, raise capital, or pool loans; and making innovative use of available federal programs. The FDIC supports this effort by providing outreach, education and training, and technical assistance to MDI and CDFI banks.
During 2018, the FDIC led discussions with MDI bankers and its Advisory Committee on Community Banking (CBAC) about the FDIC’s Resource Guide for Collaboration with Minority Depository Institutions. This guide, published in December 2017, encourages collaboration among MDIs and between MDIs and other institutions. The publication describes some of the ways that financial institutions, including community banks, can partner with MDIs to the benefit of all institutions involved, as well as the communities they serve. Both community banks and larger insured financial institutions have valuable incentives under the CRA to undertake ventures with MDIs, including capital investment and loan participations. In 2018, the FDIC began preparations to host roundtables and other events that would enable MDIs to engage with potential collaboration partners in 2019.
The FDIC added additional minority bankers to its CBAC to bring more diverse perspectives and input to these discussions. In addition, the agency began updating its 2014 study, “Minority Depository Institutions: Structure, Performance, and Social Impact,” for publication in 2019. In support of its statutory goal to preserve the minority character in mergers and acquisitions, the FDIC hosted outreach sessions with MDI bankers to provide an overview of the process for bidding on failed minority banks, and to offer technical assistance to banks desiring to place a bid on a failed MDI franchise. The FDIC also began planning for the 2019 Interagency Minority Depository Institution and CDFI Bank Conference, which the FDIC will host in collaboration with the OCC and FRB.
The FDIC also continuously pursued efforts to improve communication and interaction with MDIs and to respond to the concerns of minority bankers in 2018. The agency maintains active outreach with MDI trade groups and offers to arrange annual meetings between FDIC regional management and each MDI’s board of directors to discuss issues of interest. The FDIC routinely contacts MDIs to offer return visits and technical assistance following the conclusion of FDIC safety and soundness, compliance, CRA, and specialty examinations to help bank management understand and implement examination recommendations. These return visits, normally conducted within 90 to 120 days after the examination, are intended to provide useful recommendations or feedback for improving operations, not to identify new issues.
The FDIC’s website invites inquiries and provides contact information for any MDI to request technical assistance at any time.
In 2018, the FDIC provided 149 individual technical assistance sessions on nearly 50 risk management and compliance topics, including:
- Bank Secrecy Act and Anti-Money Laundering,
- Community Reinvestment Act,
- Funding and liquidity,
- Information technology risk management and cybersecurity,
- Third-party oversight, and
- Troubled debt restructuring.
The FDIC also held outreach, training, and educational programs for MDIs through conference calls and regional banker roundtables. In 2018, topics of discussion for these sessions included many of those listed above, as well as collaboration and partnerships, capital markets, cybersecurity, liquidity risk, and Ombudsman services. In addition, the FDIC assisted four MDIs in the early termination of Shared Loss Agreements related to the purchase of failed bank franchises during the crisis.
Mutual Institution Activities
In July 2018, the FDIC and OCC co-hosted the 2018 Joint Mutual Forum, which was open to all mutual banking institutions regardless of charter type. Mutually owned institutions represent about 9 percent of all FDIC-insured institutions and are among the oldest form of depository institution. Attended by approximately 135 participants, the forum provided an opportunity for mutual bankers to learn about current trends and engage in a dialogue on the strengths of and challenges facing mutual institutions. The forum opened with remarks by FDIC Chairman Jelena McWilliams and Comptroller of the Currency Joseph M. Otting and featured presentations and banker panels covering topics of interest relating to the mutual industry. Key sessions focused on: Being a Mutual in Today’s Financial Services Environment, Strategic Thinking: Liquidity and Interest Rate Risk Management, a regulatory Compliance Update, and an opportunity for each agency to hold an agency-specific session to address other current matters and respond to banker inquiries.
1 The CAMELS composite rating represents the adequacy of Capital, the quality of Assets, the capability of Management, the quality and level of Earnings, the adequacy of Liquidity, and the Sensitivity to market risk, and ranges from “1” (strongest) to “5” (weakest).
2 Sandra Macias, “Credit Risk Grading Systems: Observations From a Horizontal Assessment,” Supervisory Insights 15 no. 1, Summer 2018, https://www.fdic.gov/regulations/examinations/supervisory/insights/sisum18/si-summer-2018-article02.pdf.
3 “Beware of ATM, Debit, and Credit Card ‘Skimming’ Schemes,” FDIC Consumer News, Winter 2018, https://www.fdic.gov/consumers/consumer/news/cnwin18/cardskimming.html.